We in Kazbek d.o.o., the company based in Dubrovnik, Lapadska obala 25, OIB: 51417113283 (hereinafter “Kazbek“ or “we“) highly respect your privacy and we recognize that privacy protection, as well as protection of your personal data, is an important issue.

We take this opportunity to inform you how we process your personal data we collect directly from you or third parties.

By using any of our products or services and/or by agreeing to this Statement,e.g. in the context of registering for any products or services, you understand and acknowledge that we will collect and use your personal data as specified in this Statement. This Statement is subject to change, and the date of the last change is specified in the title of the Statement.

Your rights

Measures to protect your personal data

Users of hotel services

Why do we collect and process your personal data?

What kind of personal data do we collect?

What sources do we use when collecting your personal data?

Who do we give your personal data to?

How long do we retain your personal data?

Marketing and social networks

Cookies

Links to websites and third parties services

Video surveillance

Business partners and suppliers

Job applicants

If you have any questions regarding this Statement or you want to submit the request for exercising your right to protect your personal data, you can contact Mrs Pave Miloglav who is our data protection officer via e-mail pave@kazbek.hr by post to the following address: Lapadska obala 25, p.p. 213, 20 000 Dubrovnik

Your rights are stated below:

the right to access to personal data i.e. the right to obtain information about which of your personal data are processed and the details about their processing

the right to rectification of personal data,

the right to erasure of personal data,

the right to restriction of personal data,

the right to object to processing of your personal data,

the right not to be subject to the decision based solely on automated processing, including profiling. In this respect, we would like to emphasize that we do not apply such decision making process as all decisions are made with human involvement.

The right to lodge a complaint with a supervisory authority. In Croatia that is Croatian Personal Data Protection Agency, Martićeva street 14, 10 000 Zagreb, e-mail: azop@azop.hr

Exercising the above mentioned rights depends on the reason why we process personal data and on what grounds. For example, we cannot erase personal data even if you request so, if required by law to keep them for a certain period.

Upon your request, we shall act without delay and inform you about the activities we have undertaken.

You can also contact us if you have any further questions related to your personal data processing.

2. Measures to protect your personal data

We are aware how important the protection of your personal data is so we want to justify in all respects the trust you placed in us by choosing our services.

In order to prevent unauthorised access, disclosure, exchange, erasure or any other abuse of your personal data we provide certain technical, organizational and staff -related protection measures. The aim of these measures is to ensure that only those persons who need the information to perform their job tasks have access to those information in electronic or physical form, and to the extent necessary for that purpose. We recognize the importance an individual person has in personal data protection, we provide internal and external trainings to make sure that our employees and other persons we hire are well informed about the legal obligations and internal procedures related to personal data protection. Specific protection measures are detailed in by-laws and procedures we have set out for that purpose. Depending on technological advances, a regular review of technical protection measures will be carried out so as to adapt to market standards.

Our partners and service providers who we share personal data with are required to assume contractual obligations and to provide the same level of personal data protection that you expect from us. Before choosing a partner who will perform data processing for us ( data processor) we take reasonable measures to ensure they do so in compliance with legal obligations related to personal data protection.

For online transactions, we use reasonable technological measures to protect the personal information that you transmit to us via our site (e.g. when you write a credit card number SSL encryption is used to provide secure transaction). Unfortunately, however, no security system or system of transmitting data over the Internet can be guaranteed to be entirely secure to prevent interception or other illegal use of personal data.

In order to protect your own privacy, do not send the number of credit cards by e-mail or excessive amount of personal data.

We shall not contact you by mobile phone, text message or email in order to request confidential personal data or credit card details. If you receive such a request, do not reply to it. We shall request credit card details by telephone only when you book your accommodation or promotional package. We kindly ask you to inform Mrs Pave Miloglav, our data protection officer, about such messages.

3. Users of hotel services

3.1 Why do we collect and process your personal data?

We collect and process your personal data when it is required by law, to provide services you requested, but also when you give consent for processing your personal data for specific purposes which are specified below:

communication with you: when you contact us and require information about our services, our offer or you make complaints about our services, we will process the data you have submitted so that we can contact you later and act as you requested

booking of accommodation and other hotel facilities: when you are interested in accommodation or other services we offer, we collect your data so that we can check the hotel occupancy and to arrange, organize and provide services you requested on time and as ageed ( e.g. accommodation, organization of wedding receptions, banquets, conferences, SPA treatments etc)

checking in and checking out: if you use accommodation service in our hotels, it is our legal obligation to collect certain personal data in order to register your arrival

providing and charging for hotel services: during your stay in the hotel we collect data about special requests you have made so that we can provide expected level of hospitality. We also collect data about the services you have used so that we can track your expenses and collect payment e.g. use of a bar, minibar, a la carte, room service, list of telephone calls, list of the movies watched, use of transport services, excursions, babysitting services etc. In order to secure the payment we collect the credit card number.

event planning: in order to fulfill contractual obligations we collect your personal data when you are an event planner

When you participate in or visit the event taking place on our premises, we collect data allowing us to to provide instructions or information about the events

use of the exchange office services at our properties: only in certain cases when you use money exchange service in our hotels, we are legally obliged to collect certain information, in compliance with the regulations on money laundering and financing terrorist activities

monitoring and improving the service quality: Your satisfaction is of utmost importance to us. Questionnaires are provided for you to complete and assess our services and make comments. The completion of such questionnaires and extent to which you decide to provide your personal data is your own decision.

gaining benefits: as agreed with our partners, we offer certain benefits to holders of some cards (e.g. early check-in). To make sure you can use the benefit we need the data about your card type. Likewise, in some cases we may offer benefits to the persons who participate in our programs ( discounts for corporate lunches). Membership in such programs is voluntary, and you can express your consent by filling in the membership application form.

protection of your security and your property via video surveillance: some areas in our hotels and surrounding area are under video surveillance and this is indicated by clear video surveillance signs. During your stay in the hotel you may be captured by video camera.

3.2. What kind of personal data do we collect?

We collect only data necessary for the purposes described in this Statement. Depending on the circumstances following data may be included: your contact information, information related to your reservation, stay or visit to the hotel, your preferences, your name, date of birth, gender, identity card number, credit card number, country of birth, citizenship, visa number if you are subject to visa regime, place of entry in the Republic of Croatia, date of arrival to the hotel and date of departure, personal expenses, information about the airline and the vehicle you use to come to our hotel, opinions about our services ( if you decide to provide your personal data in the questionnaires), information about promotional program you are part of or our partners ' prize winning competition, information about the events you organize on our premises and the names of the participants of such events, but also other information you decide to provide or that we obtain for the purposes described above. Besides the information about yourself, we may also require the information about the persons who travel with you.

We will not collect information about your health, religious and philosophical beliefs and other sensitive information unless it is volunteered by you. The purpose of data collection is to provide better service or to meet your special needs and requirements ( e.g. provision of disability access, not serving the food you are allergic to etc).

Collection of above mentioned data may be required by law, or when it is necessary to close an agreement and provide services agreed upon. The data may also be collected based on your consent. When collecting is based on your consent we shall clearly indicate that.

3.3. What sources do we use when collecting your personal data?

We may collect your personal data directly from you ( via email, telephone, mobile phone, web form, face-to-face communication with you), but also from other persons, e.g. persons that travel with you, tourist agencies, online platforms you make reservations of our hotel services on, event planners in our hotels, credit card providers and other contractual partners. Those partners should act in accordance with applicable laws and regulations related to private data protection.

When you provide personal data of other persons, you make sure that the person whose personal data you have provided is informed about it and accepts the way we use their personal data.

When we do not collect your personal data directly from you but from other persons stated above, we are responsible only for the actions we take related to personal data upon their receipt. We are not responsible and may not be responsible for the actions related to your personal data taken by the persons we receive your data from. Therefore, we kindly ask you to read privacy protection policies related to other persons you give your personal data to.

3.4. Who do we give your personal data to?

We give your personal data only to those recipients who need them for the above stated purposes, and only to the extent necessary. We make sure that our partners maintain confidentiality of personal data as required by the contract.

For example, when you stay in our hotels it is our legal obligation to register your stay with relevant state authorities.

In order to provide certain services , we cooperate with external partners who offer such services, e.g. transport organization, excursion organization, car hire, yacht hire and hire of other equipment, event organization on our premises etc (if appropriate, we can share the data with the guests who participate in such an event). When you want us to provide such a service, we may disclose your personal data to our partners we cooperate with to the extent necessary for them to provide a service for you ( e.g. getting in touch with you, assessing the compliance with travel regulations or being charged special rates). At your request, we can contact external service providers so that you can create your itineraries by choosing a destination, activities and restaurants from the list we customized for you based on your preferences and the data received from third parties.

When you organize the event that takes place on our premises and you require services related to such an event, at your request we can share information about your event with third parties who can send you offers for the services you require ( which are usually restricted and include only your name and contact information) or we can give you contact information of our partner so you can contact them directly.

In our business operations we use various software solutions and we hire specialized companies for their maintenance, such as software solutions for booking and hotel business management, web page maintenance and provision of secure exchange of credit card numbers and payments. As our partners may have access to your personal data when providing those services, they assume contractual obligations to conform to the highest standars of personal data protection. Personal data are usually stored on the servers in the European Union. The data you exchange via our website ( except for the booking via our website) are stored on the server in the USA, and the adequate protection is guaranteed by signing standard contractual clauses between the company that maintains our webpage and their partner in the USA.

Besides above mentioned cases, your data may be disclosed when required by law, to fulfil the requirements of state authorities we are legally obliged to fulfil in order to protect our rights or the rights of our visitors, employees and public, and to react in emergency.

3.5. How long do we retain your personal data?

We retain your personal data no longer than is necessary for the purposes for which the personal data are processed.

Data about credit card shall be deleted 10 days after your check- out i.e. 10 days after your arranged date of departure in case you do not come. Certain data shall be deleted after a one-year period, while some data shall be deleted five years after your stay is completed. Bills (that include the extent of data required by law) shall be retained for eleven years, the minimum period we are obliged to retain them.

When the retention time expires the personal information printed on paper will be destroyed in a secure manner, such as by cross-shredding or incinerating and, if saved in electronic form, will be permanently destroyed to ensure the information may not be restored at a later time.

4. Marketing and social networks

Marketing and social networks

If you decide to participate in events or offers through social media we sponsor, we will be able to collect certain data from your account in the social media which are compatible with your settings within the social media service. We can enable you to participate in photography contests, for example, photographs of your stay in our hotel, which you can share with your contacts on social networks for voting, sharing offers or other promotions.

If you participate in some of the prize winning games or competitions your information can be exchanged with our sponsor or a third party sponsor.

With your consent, we can also use user-generated content (such as photographs) from social media for the purpose of advertising on websites or on our website and applications.

5. Cookies

When you visit and communicate with our websites, we collect other information that cannot be used to identify you in relation with your use of websites, such as the number of visits to our websites, parts of our web page you browse and the length of time you spent on them (“Other data”). Such data are collected and analysed in order to improve our services and make sure that you find our website, our products and services interesting.

We use cookies and other technologies (such as “pixel tags”, „web beacons “, „empty GIFs “, links in emails, JavaScript, IDs of devices associated to Google or Apple or similar technologies) in order to collect such information („cookies “).

Cookies are small text files that collect data other than personal and send them and store them on your computer, smartphone or any other device for accessing the Internet each time you visit these web pages. The purpose of the cookies used by our web page is to improve the user experience. Kazbek does not use cookies of third parties the purpose of which is targeted advertising.

On our web page we use the following types of cookies:

Session Cookies: We use these cookies to assign a randomly generated unique identification number to your computer each time you visit one of our web pages. The validity of a session cookie automatically expires when you close the browser. Session cookies are used to support the functionality of our web pages and to find out more about your usage of our web page or pages you have visited, which links you use and how long you spend on each page, on which part of the page you decided to leave it etc.

Persistent Cookies: They allow web pages to recognise the user on their next visits and serve to speed up or optimise your online experience, the services or functions offered by the web page. Persistent cookies do not expire right after you close your browser, but rather remain on the hard drive until they expire after a certain period of time or are deleted by the user.

In order to gain a better understanding of our users, we can also use information that we collected and combined or information received from third parties (for example, using Google Analytics in order to establish the percentage of our visitors who belong to a specific age group or are located in a specific area).

We use Google Analytics, which creates numerous first-party cookies. They enable us to make sure that later visits to our web page are assigned to the same (unique) visitor, and they tell us how you have found us. Google Analytics is a tool that helps website owners measure the users’ behaviour when interacting with the web content. Google Analytics does not collect any personal information about the users of our web pages. If you do not want Google Analytics to process data that refer to you, you may download the plug-in available at https://tools.google.com/dlpage/gaoptout.

6. Links to websites and third party services

Our website may contain links to websites of third parties. Bear in mind that we cannot be held accountable for the data collected, used, maintained, exchanged or published by the third parties. If you offer information on websites of third parties, i.e. use them, the privacy rules and the terms and conditions of use for these websites will apply. We recommend that you read the privacy rules for the websites you visit prior to sharing your personal data.

Kazbek d.o.o. can also collaborate with a limited number of Internet service providers in order to allow Internet access to our guests. Your use of Internet services on our premises is subject to terms and conditions of use and privacy rules set by the Internet service provider of the third party. These terms and conditions and rules can be accessed using links on the service registration page or by visiting the website of the Internet service provider.

7. Video surveillance

We use video surveillance on our premises for the following purposes:

To protect our guests and other individuals who, for whatever reason, find themselves in the area supervised by the Company and to protect their property,

To supervise the entrance and exit from the premises and to make employees less exposed to the risk of robberies, break-ins, violence, thefts and similar events at work or related to work,

To protect the Company’s property,

To protect unauthorised entering the Company’s premises,

To reduce risks and increase the protection of people working in money exchange.

We base the application of video surveillance on our legitimate interest in protecting people and property, while in case of money exchange it is our legal obligation to provide video surveillance of the exchange office.

We have introduced strict rules the purpose of which is to make sure that the recordings are automatically erased after 30 days by recording new content over the old one, that video surveillance can be accessed only by those who need it to do their jobs and that the recordings are to be viewed only in case when we find out there is a good reason for it, i.e. fulfilling one of the above stated purposes (and that only with the consent of the authorised person), these being the only recordings to be kept longer, until there is a need for it.

Recordings obtained through video surveillance are not to be delivered to third parties, except in case there is a request or order of the competent state authority (e.g. the police, state attorney, courts, labour inspectorate). They may be used as evidence in court, administrative, arbitral or other equivalent proceedings, in accordance with current procedural rules applicable in such proceedings. The recordings are not to be transferred abroad.

The video surveillance we use does not belong to intelligent video surveillance systems, it is not connected with other systems nor shall we use video surveillance for profiling or automated decision making.

8. Business partners

For the purpose of contacting our business partners and suppliers, and related to concluding and executing contracts (i.e. arrangements for delivery of goods and service execution), we gather contact information of our business partners who are natural persons and their employees ( e.g. name, number of company phone/mobile, email address). These data are retained until the termination of business relationship and we do not deliver them to third parties nor we export them to third countries. The data collected are not of personal nature but are related to the completion of work tasks.

9. Job applicants

You can send us your open job application to our email address info@kazbek.hr or by mail to our address. Providing data is voluntary. Personal data received in this way are processed only for recruitment purposes and are not exported to other countries nor to individuals outside Kazbek d.o.o.. The received CVs will be retained no longer than one year and will be erased earlier upon your request.

In case you have applied for an advertised job and have not been selected, your data will be erased upon the completion of the selection procedure unless you specifically agree that we retain them longer for possible future employment.